in many respects mirrors the initiatives taken by India in its document on framework of cyber security.

A document issued by security brass of the country, which was reviewed by ET, cites at least 12 instances where the US order mirrors India’s cyber security framework that was drafted in 2011. These include setting out a cyber security policy, defining critical infrastructure, information sharing between departments and protection of civil liberties.

Reading this, two things jump out – the insecurity that this claim projects and the fact that frameworks and plans like these are not even worth the cost of the paper they are written on [1] if they are not put into practice. Given that the GoI’s National Cyber Security Policy (Draft PDF) wants the CERT-IN to

act as a nodal agency and co-ordinate all matters related to information security in the country

we shouldn’t expect to get out of this self-dug pit any time soon.

[1] Yup, I said “paper” because, you know what, a lot of GoI reports and documents are scans of printed documents!

It is high time to move away from Google Feedburner. If you have already subscribed to feeds of Vyuha, please edit the subscription to point to the locally hosted http://vyuha.nationalinterest.in/feed/. By the end of next week, the feed hosted by Feedburner will be deleted and redirected to the earlier mentioned feed.

Sorry for the inconvenience, but we think that, overall, this is in the best interest of everyone, especially the subscribers.

Govt orders probe into cyber attack on DRDO – Fluttered by reports that computers of the Defence Research and Development Organisation (DRDO) having highly sensitive information were hacked by Chinese hackers, the Centre has initiated a probe into the issue on Wednesday.

A new infosec era? Or a new infosec error? – On March 4, 2013, a contest was held at the Nullcon conference in Goa, India, to see who could take over a botnet. The Times of India reported that the prize money was provided by an Indian government official and was awarded to the Garage4Hackers team. (…) A contest is the least controlled, riskiest, noisiest, and most irresponsible way to deal with a criminal botnet I can imagine.

On the web front – This unfolding US-China duel in cyberspace is a stark reminder that not only is the strategic rivalry between the world's two most powerful countries becoming full-fledged, but it could also spread into dangerous territories if neither side sets the minimum rules of engagement.

Experts Say It’s Time to Prepare for a ‘Post-Crypto’ World | threatpost – In the current climate of continuous attacks and intrusions by APT crews, government-sponsored groups and other organizations, cryptography is becoming less and less important and defenders need to start thinking about new ways to protect data on systems that they assume are compromised, one of the fathers of public-key cryptography said Tuesday. Adi Shamir, who helped design the original RSA algorithm, said that security experts should be preparing for a "post-cryptography" world

The DoT has decided that it will be going ahead with a 100 per cent domestic sourcing and has released a list of certified GPON suppliers. (…) Local companies that made it to the certified list include Tejas Networks, Prithvi Infosystems, Center for Development of Telematics (C-DoT), VMC Systems, Sai Systems, United Telecoms, and SM Creative.

This follows the decision by the US House Intelligence Committee, which branded ZTE and Huawei as a national threat:

The House Intelligence Committee said that after a yearlong investigation it had come to the conclusion that the Chinese businesses, Huawei Technologies and ZTE Inc., were a national security threat because of their attempts to extract sensitive information from American companies and their loyalties to the Chinese government.

While it is good that the GoI decided to look beyond the Chinese companies when considering possible threats, the question it raises is, isn’t it turtles all the way down? Is it certified that the local companies will use 100% indigenously developed components and if not, why is it better to prefer an “Assembled in India” sticker?

The FOFN project is a high-investment, long-term project that will power the infrastructure of the Indian network for some time to come. So it is prudent for the GoI to tighten the security, but it cannot be an isolated event. Nor is it viable to blanket-ban all foreign companies and technologies from such infrastructure and other sensitive projects. I hope someone higher up is thinking and acting seriously on an Information Assurance program within the scope of Critical Infrastructure Protection.

General William Shelton, who heads Air Force Space Command and oversees the Air Force’s cyber operations, comments that Iran will be a “force to be reckoned with” in the future after it has perceivably strengthened its cyber defence and offense capabilities after the Stuxnet attacks.

“The Iranian situation is difficult to talk about,” Shelton told reporters. “It’s clear that the Natanz situation generated reaction by them. They are going to be a force to be reckoned with, with the potential capabilities that they will develop over the years and the potential threat that will represent to the United States.”

Have the chickens come home to roost, or is this just more warmongering to get yet more defense budget share?